- KnowBe4 warns of a new phishing campaign that abuses Google AppSheet's workflow automation
- The emails impersonate Facebook and harvest login credentials
- The attackers can also capture session tokens
Cybercriminals are abusing a legitimate Google service to bypass email security controls and land phishing emails directly in victims' inboxes.
Researchers at KnowBe4, who first spotted the attacks, warn that the crooks used Google AppSheet, a no-code platform for building apps and web applications, and through its workflow automation were able to send emails from the address “[email protected]”.
The phishing emails impersonate Facebook and are designed to get recipients to hand over their login credentials and 2FA codes for the social media platform.
2FA codes and session tokens
The emails, sent in bulk and on a fairly large scale, came from a legitimate source and so got past Microsoft's filtering and secure email gateways (SEGs), which rely on domain reputation and authentication checks (SPF, DKIM, DMARC). Those checks validate the sending service's own domain, not the brand named in the display name or body, so a message sent through a trusted third-party platform passes them all.
In addition, because AppSheet can generate unique IDs, each email was slightly different, which also helped it slip past traditional signature- or hash-based detection.
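The two evasion properties described above, authentication that passes for the sending service's domain rather than the impersonated brand and per-message IDs that defeat exact-match detection, can both be caught with checks that do not depend on reputation. The following is an added example, not KnowBe4's code or anything from the campaign: it parses a constructed message from a hypothetical automation service (the domains example-automation.test and example-hosting.test are made up), flags a display name that claims a protected brand while the From: domain is not one of that brand's sending domains even though SPF, DKIM and DMARC all pass, and fingerprints the body after normalising digits and URLs so that variants differing only in a case ID cluster together.

```python
"""Brand-impersonation and near-duplicate checks for mail that passes
SPF/DKIM/DMARC.  Added example with constructed data; the service and
hosting domains below are hypothetical."""
import hashlib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Brands worth protecting and the domains they legitimately send from.
# A real deployment would load this from configuration; this list is illustrative.
PROTECTED_BRANDS = {
    "facebook": {"facebook.com", "facebookmail.com", "meta.com"},
}

# Constructed sample: authenticated for the (hypothetical) automation
# service's domain, display name and body impersonate Facebook.
SAMPLE_RAW = b"""\
Authentication-Results: mx.example.test;
 spf=pass smtp.mailfrom=example-automation.test;
 dkim=pass header.d=example-automation.test;
 dmarc=pass header.from=example-automation.test
From: "Facebook Support" <noreply@example-automation.test>
To: victim@example.test
Subject: Appeal Case 48213: your account will be deleted in 24 hours
Content-Type: text/plain; charset=utf-8

Your account has been reported for intellectual property violation.
Case ID: 48213. Submit an appeal within 24 hours or it will be deleted.
https://appeal-center.example-hosting.test/case/48213
"""

# Same template with a different per-message ID, as the automation would emit it.
VARIANT_RAW = SAMPLE_RAW.replace(b"48213", b"77901")


def parse_auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the
    Authentication-Results header; a missing method maps to 'none'."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        results[method] = m.group(1).lower() if m else "none"
    return results


def brand_in_display_name(display_name):
    """Return the protected brand named in the display name, if any."""
    name = display_name.lower()
    return next((b for b in PROTECTED_BRANDS if b in name), None)


def detect_impersonation(raw):
    """Flag a message whose display name claims a protected brand while the
    From: domain is not one of that brand's sending domains.  The flag is
    raised regardless of the authentication verdicts, which is the point:
    SPF/DKIM/DMARC only vouch for the sending service's domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg)
    brand = brand_in_display_name(display_name)
    impersonation = brand is not None and from_domain not in PROTECTED_BRANDS[brand]
    return {
        "auth": auth,
        "auth_all_pass": all(v == "pass" for v in auth.values()),
        "brand_claimed": brand,
        "from_domain": from_domain,
        "impersonation": impersonation,
    }


def body_fingerprint(text):
    """SHA-256 of the body after collapsing URLs, digit runs and whitespace,
    so variants that differ only by a per-message ID or link share a hash."""
    normalized = re.sub(r"https?://\S+", "<url>", text)
    normalized = re.sub(r"\d+", "<n>", normalized)
    normalized = re.sub(r"\s+", " ", normalized).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def fingerprint_message(raw):
    """Parse a raw message and fingerprint its text body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return body_fingerprint(msg.get_content())


if __name__ == "__main__":
    verdict = detect_impersonation(SAMPLE_RAW)
    print("auth:", verdict["auth"], "impersonation:", verdict["impersonation"])
    print("same template:", fingerprint_message(SAMPLE_RAW) == fingerprint_message(VARIANT_RAW))
```

The exact-byte hashes of the two samples differ, which is why a unique ID per message defeats hash-based blocking, while the normalised fingerprints match and the impersonation flag fires on both even though every authentication method reports pass.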
The emails themselves spoofed Facebook. The crooks tried to convince victims that they had infringed someone's intellectual property and that their account would be deleted within 24 hours.
Unless, of course, they submitted an appeal via a “Submit an Appeal” button conveniently placed in the email.
Clicking the button takes the victim to a Facebook look-alike landing page, where they enter their login credentials and 2FA codes, which are then relayed to the attackers.
The page is hosted on Vercel, which, according to KnowBe4, is a “reputable platform known for hosting modern web applications”. This further strengthens the credibility of the campaign.
The attack has a couple of extra tricks. The first login attempt returns a “wrong password” error, not because the victim typed the wrong credentials, but to make them re-enter and so confirm the submission.
In addition, the 2FA codes provided are immediately relayed to Facebook, which works because a one-time code stays valid for its short window, and in return the crooks obtain a session token that gives them persistence even after a password change: a password reset alone does not evict the stolen session, so the account's active sessions also have to be revoked.